CVE-2026-44645: CWE-400: Uncontrolled Resource Consumption in harttle liquidjs
LiquidJS versions 10.25.7 and below contain a vulnerability where the renderLimit option intended to limit rendering time can be bypassed by using an empty {% for %} or {% tablerow %} loop body. This allows an attacker to cause uncontrolled resource consumption by iterating large collections without triggering the time limit, potentially stalling the Node.js event loop and impacting availability. The issue has been fixed in version 10.26.0.
AI Analysis
Technical Summary
CVE-2026-44645 is an uncontrolled resource consumption vulnerability (CWE-400) in the LiquidJS template engine (harttle project). The renderLimit option, designed to limit the time spent in each render() call, can be bypassed when the loop body of {% for %} or {% tablerow %} tags is empty. Because the per-iteration time check only occurs if the loop body contains at least one template node, an empty loop iterates the entire collection without limitation. This can cause a single parseAndRenderSync call to consume significantly more time than the configured renderLimit (e.g., 2.26 seconds vs. 50 ms limit), scaling linearly with the iteration count. This allows a low-privileged template author to monopolize the Node.js event loop worker thread, potentially stalling other requests and causing availability issues. The vulnerability affects versions up to and including 10.25.7 and was fixed in version 10.26.0.
Potential Impact
An attacker who can supply templates can bypass the renderLimit protection and cause excessive CPU consumption on the Node.js event loop by crafting empty loop bodies that iterate large collections. This results in denial of service by stalling event-loop workers and impacting availability of the service processing templates. There is no impact on confidentiality or integrity.
Mitigation Recommendations
A fix is available in LiquidJS version 10.26.0. Users should upgrade to version 10.26.0 or later to resolve this vulnerability. No other vendor advisories or temporary mitigations are provided. Until upgraded, deployments relying on renderLimit for DoS protection remain vulnerable to crafted templates with empty loop bodies.
CVE-2026-44645: CWE-400: Uncontrolled Resource Consumption in harttle liquidjs
Description
LiquidJS versions 10.25.7 and below contain a vulnerability where the renderLimit option intended to limit rendering time can be bypassed by using an empty {% for %} or {% tablerow %} loop body. This allows an attacker to cause uncontrolled resource consumption by iterating large collections without triggering the time limit, potentially stalling the Node.js event loop and impacting availability. The issue has been fixed in version 10.26.0.
CVSS v3.1
Score 6.5medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-44645 is an uncontrolled resource consumption vulnerability (CWE-400) in the LiquidJS template engine (harttle project). The renderLimit option, designed to limit the time spent in each render() call, can be bypassed when the loop body of {% for %} or {% tablerow %} tags is empty. Because the per-iteration time check only occurs if the loop body contains at least one template node, an empty loop iterates the entire collection without limitation. This can cause a single parseAndRenderSync call to consume significantly more time than the configured renderLimit (e.g., 2.26 seconds vs. 50 ms limit), scaling linearly with the iteration count. This allows a low-privileged template author to monopolize the Node.js event loop worker thread, potentially stalling other requests and causing availability issues. The vulnerability affects versions up to and including 10.25.7 and was fixed in version 10.26.0.
Potential Impact
An attacker who can supply templates can bypass the renderLimit protection and cause excessive CPU consumption on the Node.js event loop by crafting empty loop bodies that iterate large collections. This results in denial of service by stalling event-loop workers and impacting availability of the service processing templates. There is no impact on confidentiality or integrity.
Mitigation Recommendations
A fix is available in LiquidJS version 10.26.0. Users should upgrade to version 10.26.0 or later to resolve this vulnerability. No other vendor advisories or temporary mitigations are provided. Until upgraded, deployments relying on renderLimit for DoS protection remain vulnerable to crafted templates with empty loop bodies.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-07T15:30:10.875Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a332119f198dc38c11faa50
Added to database: 6/17/2026, 10:35:05 PM
Last enriched: 6/17/2026, 10:50:34 PM
Last updated: 6/18/2026, 3:00:10 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.